Blockchain-based anonymized cryptologic voting

ABSTRACT

A system may facilitate distributed ledger technology (DLT) record based (for example, blockchain-based) voting. A voter may distribute vote-value to answers using committed tokens that bind the voter to a particular vote-value without divulging the particular vote value while in a cryptographic form. The voter may distribute committed tokens to multiple answers. In some cases, the distribution of the committed tokens to multiple answers may frustrate attempts to determine the one or more targets to which the voter delivers a non-null vote-value.

PRIORITY

This application claims priority to U.S. patent application Ser. No.16/212,026, filed Dec. 6, 2018, and titled “Blockchain-Based AnonymizedCryptologic Voting,” which is incorporated by reference in its entirety.U.S. patent application Ser. No. 16/212,026 claims priority to RussianPatent Application Serial No. 2018103253, filed Jan. 29, 2018, andtitled “Electronic Voting and Verification in an e-Ballot VotingSystem,” which is incorporated by reference in its entirety.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is related to U.S. patent application Ser. No.16/212,187, filed on Dec. 6, 2018, titled Blockchain-Based AnonymizedCryptologic Ballot Organization, which is incorporated by reference inits entirety. This application is also related to U.S. patentapplication Ser. No. 16/212,228, filed on Dec. 6, 2018, now U.S. Pat.No. 10,388,097, titled Blockchain-Based Cryptologic Ballot Verification,which is incorporated by reference in its entirety.

TECHNICAL FIELD

This disclosure relates to blockchain-based cryptologic voting.

BACKGROUND

Rapid advances in electronics and communication technologies, driven byimmense customer demand, have resulted in newly emerging complexverifiable ledger systems. Improvements in the hardware and softwareimplementations of the underlying processing for the verifiable ledgersystems will increase the security, reliability, and speed of theimplementations.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows an example balloting environment.

FIG. 2 shows the example balloting environment of FIG. 1 withindications of the flow of interaction within the environment.

FIG. 3 shows example anonymized cryptologic voting logic.

FIG. 4 shows example ballot organization logic.

FIG. 5 shows example ballot auditing logic.

FIG. 6 shows an example voting logic execution environment.

FIG. 7 shows an example organization logic execution environment.

FIG. 8 shows an example auditing logic execution environment.

FIG. 9 shows an example intermediary balloting environment.

FIG. 10 example intermediary vote-value compiling logic

DETAILED DESCRIPTION

Distributed ledger technologies (DLTs), backed by blockchain and othercryptographic structures provide a platform by which transactions may berecorded with protection from post-recording tampering. In ballotingsystems, including private organization voting (e.g., shareholdervoting, member voting, employee voting or other private organizationelections), municipal/state/federal elections, legislative voting,surveying, polling, or other question-answer systems DLTs allow for averifiable record (e.g., a virtual paper trail) including whereelections are performed remotely (e.g., over a telecommunicationsnetwork). Further, digital signatures and other digital identitytechniques allow for secure identification of voters, ballot organizers,and/or auditors.

In some cases, implementation on a DLT may allow for non-secretballoting. In some balloting systems, non-secret voting (e.g.,submission of an answer in a balloting system) may be practical. Forexample, in legislative voting or judicial responses the identity ofindividual voters may be a part of the public record.

In some cases, secret balloting may be implemented on a verifiable DLTrecord. The techniques and architectures discussed below provide averifiable DLT record while maintaining anonymity of voters (e.g., viapseudonymity or other obfuscation). The techniques and architecturesincrease the privacy of verifiable DLT balloting using tokens (e.g.,committed tokens, range-proof tokens, voter tokens, organizer tokens,result tokens, validity tokens, or other tokens), identifiers, and/orother cryptographic primitives to hide real voter identities and obscurethe content of individual votes. The techniques and architecturesincrease the security of secret balloting by providing a distributedledger (e.g., backed by a cryptographic structure) that may be auditedby nodes under the control voters, organizers, and/or third parties.Thus, balloting done in accord with the techniques and architectures maybe later verified for accuracy and validity by stakeholders. Invalid ortampered results may be rejected. In some cases, auditors may recordtheir certifications of the vote to the DLT record further increasingthe security and confidence in the balloting system. The techniques andarchitectures increase the efficiency and flexibility of secretballoting by using one or more of the aforementioned cryptographicprimitives and/or cryptographic structures which may operate inlocalized or networked computer environments. Accordingly, environmentsimplementing example implementations provide for increased efficiency bypreserving secrecy of ballots and secure identity without necessarilyrequiring physical travel or gathering of the parties involved in theballoting. In sum, the discussed techniques and architectures (includingtokens, identifiers, distributed ledger, and cryptographic structures)provide technical solutions to the technical problems of increasing theprivacy, security, efficiency, and flexibility of balloting systems.Accordingly, the discussed techniques and architectures provideimprovements over existing market solutions.

FIG. 1 shows an example balloting environment 100. In the exampleenvironment 100 nodes 102 store (e.g., in whole or in part) a DLT record104, such as distributed ledger stored as a blockchain or othercryptographic structure, in memory. The nodes 102 may form a distributednetwork by redundantly storing the DLT record 104 and achievingconsensus regarding transactions and updates posted to the DLT record.Various sequencing consensus mechanisms and/or DLT architectures may beused (e.g., Bitcoin, Ethereum, or other DLT environments). In somecases, a node may hold information on a state of the DLT record relevantto the node's transactions, the node may not necessarily store portionsof the DLT record beyond the relevant information

FIG. 2 shows the example balloting environment 100 along withindications of the flow of tokens, data, and interactions within theexample balloting environment 100. The flow of tokens is shown among thenodes. However, in various implementations, the flow of tokens may beimplemented through transaction recorded on the DLT record. Accordingly,a node may not necessarily pass a physical token or data representationto another node, but may record a passage of control/ownership of thetoken to a DLT record. A cryptographic structure may include datagroupings, such as blocks, that are linked to others of the datagroupings via cryptographic primitives, such as hashes. For example, ina blockchain, a series of blocks may be linked and protected from datatamper by the blocks in the series that include hashes to the previousblocks in the series. Cryptographic primitives may include hashes,commitments, certificates, signatures, keys, identifiers, ciphers, stateinputs, or other cryptographic entities that may provide secureidentity, data integrity, data obfuscation, or other security features.

The nodes 102 may transact on the DLT record 104 on the behalf of one ormore roles (e.g., voters 110, organizers 120, answers 130, auditors 140,and/or other roles). The nodes 102 may adopt one or more roles viaidentifiers (e.g., voter identifiers 112, organizer identifiers 122,answer identifiers 132, auditor identifiers 142, and other identifiers).In some cases, a role may be adopted by a node without any particularidentifier, for example a node may, in some cases, assume an auditorrole without pre-designated identifier. In some cases, a node acting inan auditor capacity may provide an identifier to distinguish from otherauditor nodes or other participating nodes. The identifiers may includepublic keys (e.g., for use in asymmetric encryption algorithms)associated with individual members of the various roles.

A node 102 may act within a role, e.g., as a voter 110, organizer 120,answer 130, auditor 140, or other role, based on virtually any authoritysystem for assigning roles or authentication of logon credentials. Forexample, an organizer may self-assign the organizer role and thendesignate voters and answers. In the example, auditors may includevolunteer participants and may self-assign. Other configurations may beused. A node may access private keys for a role (e.g., paired to publickeys for the role) upon grant of access based on role assignment/logon.

The organizer 120 may establish a ballot 150, e.g., a set of answers 130with answer identifiers 132, an organizer token 124 holding thevote-value for the ballot 150. In various implementations discussedthroughout the disclosure, a ballot, e.g., through its digitalstructure, may include a set of allowed answers for a vote and definerules for a valid vote. The organizer may designate voters 110. Theorganizer may distribute the established vote-value in the organizertoken 124 to the voters via voter tokens 114. In various implementationsthroughout the disclosure, a voter token may include a data structurethat uses cryptographic primitives to transfer vote value to a voter.The voter token may be recorded within a voter transaction.

The voters 110 may receive the voter tokens 114. The voters 110 maydistribute the vote-value in the voter tokens to the answers 130. Insome cases, the vote-value in voter tokens may be binary (e.g., yes/no),integer (e.g., n votes), or fractional (e.g., votes may be split accordwith decimal values). In some cases, vote-value transfers may beconfined to a specific range. For example, the organizer 120 mayconfigure a ballot 150 such that negative vote-values are disallowed toprevent a voter from conferring useless negative vote-value to oneanswer thereby increasing the vote-value that voter may confer toanother answer.

Voters may send vote-value to answers using committed tokens 134. Invarious implementations throughout the disclosure, committed tokens maycontain a cryptographic commitment to the vote-value conferred in thecommitted token. The commitment does not reveal the vote-value. However,any later revealed vote-value may be compared against the commitment.For example, the commitment algorithm may be applied to the revealedvote-value to recreate the commitment in the committed token. If therecreated committed value does not match, the committed value in thecommitted token the reveal vote-value can be identified as invalid.

To obfuscate which answers the voter confer vote-value, the voters mayalso confer null vote-value (e.g., zero or otherwise valuelessvote-value) to answers. For example, a voter 110 may outwardly appear tosend a token to every answer. However, some portion of the tokens sentmay be null tokens. This may frustrate attempts to determine aparticular voter's answer selections by monitoring which answers 130received tokens from the voter.

In some implementations, homomorphic commitments may be used within thecommitted tokens. Homomorphic commitments have the property that the sumof the commitment is equal to the commitment of the sum. Homomorphiccommitments may support aggregate vote-value verification. For example,an auditor 140 may check that the sum of the tokens received by theanswers 130 is equal to the sum of tokens sent by the voters 110. Thischeck by the auditor 140 may be done without reliance on knowledge ofthe individual votes of the voters 110.

The token transfers (e.g., from the organizers 120 to the voters 110 andfrom the voters 110 to the answers may be recorded on the DLT record 104to preserve the integrity of the transactions for later verification andto create an immutable (e.g., functionally immutable) virtual papertrail. For example, without cooperation from at least a large minority(e.g., one third, one half, or other portion depending on the consensusprocedure used with the DLT) of participating nodes, the DLT recordcannot be changed without creating inconsistences with data-integritycryptographic primitives (e.g., hashes, checksums, or other dataintegrity protecting primitives). Further, without universalcooperation, evidence of a DLT fork may be maintained by nodes. Thus,attempts to surreptitiously change voting results stored on a DLT recordmay be frustrated by the constraints against any one node making changesto a DLT record.

Nodes 102 may perform multiple roles simultaneously. For example, twoseparate identities (e.g., a vote and an organizer) may be served by asingle node. Further, particular identities may serve multiple roles.For example, an organizer may be a voter and/or answer. Auditors mayalso be voters, organizers, or answers. Other combinations are possible.

Additionally or alternatively, roles may be executed by non-participantnodes. For example, a particular node may not necessarily have writeprivileges for the ballot system DLT record (e.g., a non-participantnode). However, the particular node may represent one or more roles. Theparticular node may execute the tasks of the roles by requesting DLTrecordation from participant nodes. Therefore, a user performing a rolemay not necessarily need to log on to a node that is a participant inthe DLT itself. In an example scenario, a user performing a voter rolemay log on to a remote terminal and execute votes by sending messagesrequesting DLT transactions rather than appending the DLT transactionsdirectly by the remote terminal.

Below, in reference to FIGS. 3, 4, and 5 example logic to support theoperation of voters 110, organizers 120, and auditors 140 is discussed.Referring now to FIG. 3, which shows example anonymized cryptologicvoting logic (ACVL 200). The ACVL 200 may be implemented on circuitry,e.g., cryptologic voting circuitry. The ACVL 200 may access the DLTrecord 104 to obtain a ballot for which the voter 110 intends to cast avote (202). The ballot may designate answers 130 by providing answeridentifiers 132 for the answers. The answer identifiers may includepublic keys assigned to the answers 130. The public keys may allowvoters to address a committed token 134 to an answer by encrypting thecommitted token (or portions thereof) with the public key of the answer.

The ACVL 200 may also receive a voter token on behalf of the voter(204). The voter token may be sent by the organizer 120 and addressed tothe voter identifier of the voter. Similarly, a public key of the votermay serve as the voter identifier. The ACVL 200 may determine an amountof vote-value conferred to the voter through the voter token (206).Vote-value is the voting power assigned to the voters to implement theballot. The voters 110 receive vote-value through tokens from theorganizer 120. The voters may then assign the received vote-value to oneor more answers. The vote-value received by the answers may be totaledto determine the winning answers in accord with conditions for victorysetup by the ballot. For example, conditions may include receiving morevote-value (e.g., a plurality of the vote value) than other answers,receiving a majority of the vote-value, exceeding a defined vote valuethreshold, or other conditions. Further, multiple conditions may becombined.

In response to voter input, the ACVL 200 may determine a portion of thereceived vote-value to commit to a target answer (208). For example, ina binary vote-value system, the ACVL 200 may commit the entire votevalue to the target answer. In an integer system, a discrete sum (whichmay be less than the entirety) may be committed by the ACVL 200. Once acommitment has be determined, the ACVL 200 may generate a committedtoken that binds the voter 110 to the determined vote-value commitment.The committed token 134 may implement a cryptographic commitment to bindthe voter. As one illustrative example, the committed token 134 maycontain a hash of the committed vote-value. In various implementationsthroughout the disclosure, committed vote-value may include a determinedamount of vote-value that is intended to be transferred in atransaction. The vote-value becomes “committed” when the transferringparty generates a cryptographic commitment that designates the amount.The cryptographic commitment prevents the transferring party from beingable to later claim a different amount was designated for transfer.Accordingly, any party asserting that the vote-value committed by theACVL 200 is a particular amount can be checked by hashing their assertedamount. If the hashed output does not match the hash in the committedtoken, the asserted amount is inaccurate. However, other cryptographicprimitives may be used to form commitments.

In some implementations, a commitment from the class of homomorphiccommitments may be used in place of the hash described above. Ahomomorphic commitment is a commitment that has the additional propertythat the sum of two commitments is the commitment of the sum, e.g.,Commit(a)+Commit(b)=Commit(a+b).

Examples of such distributions are: a voter distributes its ballots overthe answers, or an intermediary distributes its ballots over the votersit represents

One example homomorphic commitment (C) may include:C=aA+bB  (Eq.1)

where, A is a first point on an elliptic curve (e.g., an amount point)and B is a second point on the elliptic curve (e.g., a blinding point).aA is the amount term and bB is the blinding term. The factor a is thevote-value. The factor b is a blinding factor that obfuscates thevote-value a. In some cases, b may be chosen through random selection(e.g., pseudorandom, random, or other non-deterministic selection). Insome implementations, the allowed range for b may be large to frustrateattempts to determine committed tokens by determining that larger valuesC may be more likely to have non-zero vote-value. For example, the rangeof b may be on the order of the elliptic field size of the curvegenerated by the function G (see below). B may be determined based on A.In some cases, the B may be related to A via a hash function tofrustrate attempts to predict B for all A. For example, B may bedetermined using:B=P(H(A))  (Eq.2)

where H is a hash function and P is a function that converts the hashoutputs of H to points on the elliptic curve. An example hash functionmay include the SHA256 algorithm. However, other hash functions may beused.

A may be determined using the generation function of the elliptic curveand a shared key k. Accordingly, A may be determined by computing:A=G(k)  (Eq.3)

The organizer, or ballot organization logic (BOL) 300 on behalf of theorganizer, may determine the generation function G and the shared key k.The organizer 120 may establish A and B by providing k and G andallowing participants (e.g., voters 110, answers 130, auditors 140) tocompute A and B. The BOL 300 may also designate the hash function H andthe function P.

An example committed token using the above commitment C may include:[CT]=(C,E _(i)(a),E _(i)(b))  (Eq.4)

where, [CT] is the committed token structure and E_(i) designatesencryption based on the identifier (e.g., a public key) of the recipientof the vote-value. Accordingly, while the second and third fields of theexample committed token are in an encrypted form (e.g., a cryptographicform), the committed token publicly binds the voter (or other conferrerof vote-value) to the committed vote value a without disclosing a untilE_(i)(a) is decrypted.

In some cases, to further obfuscate a, a random “salt,” s, may be addedto a before application to C.

The summation property of homomorphic commitments discussed above may beused by the AVCL in subsequent transfers of vote-value. Once a recipienthas received a token, including a commitment on its value a by thesender of the token, and an encrypted vote-value (e.g., the value a),the recipient may distribute this token to two or more furtherrecipients. The homomorphic property may be used by the sender to createthe commitments to these new recipients' tokens. For example, for adistribution into two parts a1 and a2 (where the values a1 and a2 sum upto the value a originally received: a1+a2=a) the commitments to a1 anda2 sum up to the commitment of a: C(a1)+C(a2)=C(a1+a2)=C(a). Thus, theAVCL may generate a verification sum using the homomorphic property andverify that the sum (e.g., verfication sum) of transferred vote valuematches the vote value in the source token(s). In variousimplementations throughout the disclosure, a verfication sum may includea sum (or information related to the sum) of the vote-value in one ormore tokens used to confirm that a valid amount of vote-value wastransferred within the summed tokens.

Once the ACVL 200 generates the committed token, the ACVL 200 mayrequest a target transaction to record the assignment of the committedtoken to the target answer (210). To establish the authenticity of thetarget transaction, the ACVL 200 may use a cryptographic key associatedwith the voter identifier of the voter. For example, the voteridentifier may include a public key and the cryptographic key mayinclude a private key paired to the public key. The ACVL 200 mayestablish the authenticity of the target transaction by digitallysigning the committed token using the private key.

The ACVL 200 may account for the target transaction by deducting thecommitted vote value from the voter vote-value received from the votertoken (212).

The balloting system, including the ACVL 200, the BOL 300, and theballot audit logic (BAL) 400, may operate in a variety of different DLTenvironments. For example, the balloting system may be applied insystems using an unspent outputs transaction model, an accounttransaction model, or other transaction model. In an example systemhaving an unspent outputs transaction model, the ACVL 200 may generate arest token (e.g., with the same structure as the committed token) thatconfers the remainder vote-value, e.g., the voter vote-value with thecommitted vote-value deducted, back to the voter 110. The rest token maybe included in the target transaction. In some cases, where thecommitted token transfers all remaining vote-value, the rest token mayinclude a token holding a null vote-value. In an example system in anaccount transaction model, the committed vote-value may be deducted froman account storing the voter vote-value for the voter.

In various implementations, any of the vote-value conferring tokens(e.g., organizer tokens, voter tokens, rest tokens, or other vote-valuetransferring tokens) may use the structure (e.g., the structure inEquation 4 above or other token structure) and cryptographic primitivesused in the committed token discussed above.

The ACVL 200 may include a range-proof token along in the targettransaction along with the committed token (214). The range-proof tokenmay be used, e.g., by a node acting in an auditor role, to publicallyestablish that the committed value transferred by the committed tokenfalls within a designate range. In some cases, an organizer maydesignate allowed ranges for vote-value transfers. For example, negativenumbers may be disallowed and/or numbers above/below a designatedthreshold vote-value may be disallowed. The range-proof token mayestablish that the committed vote-value falls within the range withoutnecessarily publically disclosing the committed vote-value. Informationmay be considered to be publically disclosed when made accessiblewithout access to one or more secret (e.g., private) cryptographic keys.

Various range proofs may be implemented within the range-proof token.For example, the example range-proof discussed in Russian PatentApplication Serial No. 2018103253, filed 29 Jan. 2018, and titledElectronic Voting and Verification in an e-Ballot Voting System,previously incorporated by reference herein may be used. Therein, anexample range proof based on Borromean signatures with (t+1)log₂(M)rings with two keys (L, L′) per ring is described. The range proof mayestablish that the committed value is within the allowed range, e.g.,[0, M]. The signatures are also discussed in Maxwell, G. and PoelstraA., Borromean Ring Signatures, 2015, accessible at:https://github.com/Blockstream/borromean_paper/raw/master/borromean_draft_0.01_9ade1e49.pdf

A range-proof token including a range proof for a committed value may beincluded within the same transaction that conveys the committed token.Additionally or alternatively, the range-proof token may be included ina different transaction. In some cases, multiple range proofs may begenerated for a single committed token. For example, a first range-prooftoken may establish that the committed value is within [N, M] and then asecond range-proof token may establish that the committed value iswithin [X, Y] where N, M and X, Y establish different ranges.

To establish the authenticity of the range-proof token, the ACVL maysign the range-proof token use the cryptographic key associated with thevoter identifier.

The ACVL 200 may determine another portion of the voter vote-value tocommit to a completion answer (216). The ACVL 200 may send tokens tomultiple answers to obfuscate which answers the voter 110 selects. In anexample scenario, the ACVL 200 may send a committed token to each of theanswers (some of which may be null, e.g., a committed token containing azero-value vote-value) to frustrate attempts to determine the voter'svoting pattern by monitoring which answers receive tokens. The ACVL 200may generate completion committed tokens (e.g., committed tokensgenerated to complete determined distribution to the answers and/orensure that multiple answers receive committed tokens from a voter) toensure that multiple answers receive committed tokens from the voter. Insome cases, multiple committed tokens may be transferred in a singletransaction. In various implementations throughout the disclosure,designations such as “target” or “completion” may be used for namingconvenience to establish a contextual order, but may not necessarilydesignate a technical distinction. For example, a “target” committedtoken may be a committed token sent within the course of a vote a“completion” committed token may designated a final or later token sentwithin the course of a vote. Accordingly, technical features applying to“target” designations may apply equally to “completion” designations.

The ACVL 200 may sign the token and request recordation of a transactionfor the completion token (218). The ACVL 200 may include range-prooftokens corresponding to the completion tokens (220). In some cases, suchas the example range proof described in Russian Patent ApplicationSerial No. 2018103253, filed 29 Jan. 2018, and titled Electronic Votingand Verification in an e-Ballot Voting System, previously incorporatedby reference herein, a single range-proof token may provide range-proofsfor multiple tokens.

In some cases, where a homomorphic commitment is implemented, the ACVL200 may provide a summation token which may allow verification based onthe property that the sum of the homomorphic commitments is equal to thecommitment of the sum.

In various implementations, the ACVL 200 may include a reference to asource token (e.g., the origin of the vote-value to be distributed inthe transaction, for example, a voter token 114, rest token, or othertoken) and the summation token within transactions (222). The summationtoken in concert with the transferred committed tokens may be analyzedin reference to the source token. Through the analysis, the total votevalue in the source token may be compared to the total vote-valuetransferred by the multiple committed tokens and/or rest tokens in thetransaction. If the vote value in the source token matches thetransferred vote value, the transaction may be valid. Because thetransaction may include rest tokens, a voter 110 (or other role)transferring vote value need not necessarily transfer (e.g., to others)the entire vote-value in the source token to have the vote-value intokens in the transaction equal to the vote-value in the source token.In other words, the voter 110 may retain vote-value through rest tokens.

In some cases, the summation token may be combined in function withother tokens. For example, summation information may be extracted fromthe example range proof described in Russian Patent Application SerialNo. 2018103253, filed 29 Jan. 2018, and titled Electronic Voting andVerification in an e-Ballot Voting System, previously incorporated byreference herein. Accordingly, range-proof tokens using the examplerange proof may serve as summation tokens. To verify the committedtokens, the ACVL 200 (or other logic, BOL 300, BAL 400) may sum over thekeys L from the example range-proof token. In the example, the sum ofthe keys L may be equal to the source token when the vote-valuetransferred by the tokens in the transaction is equal to the vote-valuein the source token. The consistency of the keys L with the tokens inthe transaction may be verified by executing the range proofs on thetokens. In various implementations throughout the disclosure, summationinformation may include information that may support the determinationof a sum of vote-value for the generation of a verification sum.

In an example transaction, the ACVL 200 may transfer multiple committedtokens (e.g., n committed tokens) with reference to a source token and arange proof. An example structure may include:[Transact]=[[ST],P[L ₁ ,L′ ₁ ; . . . ;L _(n) ,L′ _(n)],[CT]₁, . . .,[CT]_(n), [RT]]  (5)

where [ST] is the source token, P is the range-proof token including thekeys L and L′ for the n committed tokens, and [RT] is a rest token. Theverification of the transaction may further include verifying the sourcetoken was assigned to the identifier of the requester of thetransaction.

Referring now to FIG. 4, example BOL 300 is shown. In variousimplementations, the BOL 300 may be used to setup ballots on behalf ofthe organizer role. The BOL 300 may be implemented on circuitry, e.g.,ballot organization circuitry. The example BOL 300 may generate a ballotwith answers (302). The answers may have corresponding answeridentifiers. For example, the ballot may designate individual publickeys for the answers.

Voters (e.g., via the ACVL 200) may use the answer identifiers to directcommitted tokens assigning vote-value to the answers in accord withtheir voting preferences and obfuscation scheme.

The BOL 300 may designate an allowed range for vote-value transfers forthe ballot 150 (304).

To setup an initial supply of vote-values to distribute to voters, theBOL 300 may generate an organizer token (306). In variousimplementations throughout the disclosure, an organizer token mayinclude a cryptographic data structure that may be generated to transfer(or initiate transfer through third-party intermediaries) an initialdistribution of vote-value to voters.

The BOL 300 may establish the ballot by requesting a transactionrecording the ballot 150 to the DLT record (308). Additionally oralternatively, the transaction may establish the organizer token.

In an example, the transaction establishing the ballot (e.g., with nanswers) may have the structure:[Transact]=[[OT]′,Bal[AI₁, . . . ,AI_(n),{Range},{TType},k,G,H]]  (6)

where [OT]′ signifies a non-transfer establishment the organizer token,Bal is the ballot, AI are the answer identifiers, {Range} is a fielddesignating the allowed range for vote-value transfers, {TType} is afield designating allowed token types (e.g., binary, integer, decimal,or other vote types), k is the key for generation of the amount point, Gis the generation function for the elliptic curve, and H is the hashfunction for generation of the blinding point from the amount point. Insome cases, the BOL 300 may digitally sign the ballot, for example,using a private key associated with a public key established by the BOL300 as the organizer identifier.

In some cases, the ballot may further designate voter identifiers forallowed voters for the ballot.

In some cases, the BOL 300 may designate voters through the transfer ofvote-value via voter tokens. In other words, the reception of vote-valueat a particular identifier entitles a vote. In some implementations, thesystem may disallow answers from retransferring (e.g., as second-roundvoters) vote-value received from voters in committed tokens. In otherwords, committed tokens would not be valid source tokens. For example,vote-value in organizer tokens, voter tokens, and rest tokens may beretransferred after receipt, but vote-value in committed token may bedisallowed for retransfer. Further, the organizer may use one or moreintermediaries to distribute vote-value to the voters. For example, theorganizer may transfer vote-value to an intermediary which may transferthat vote-value (or a portion thereof) to a voter. Multiple layers ofintermediaries may be used. In some implementations, any token,including committed tokens, containing vote-value may act as a sourcetoken. Received vote-value may be passed among the voters and answersuntil the election ends.

In various implementations, the election may be ended in response to anevent (e.g., a vote-value threshold achieved by an answer, a requestfrom an organizer or other role, a final voter casting a vote, or otherevent) or at a designated time. The BOL 300 may establish conditions forending the vote within the ballot.

The BOL 300 may determine a vote-value distribution (310). In variousimplementations throughout the disclosure, the vote-value distributionmay detail the quantity of vote-value that may be transferred theindividual voters.

The BOL 300 may distribute the vote-value, e.g., in accord with thevote-value distributions, to voters by requesting a transactiontransferring voter tokens to the voters (312). The vote-value conferredto the voters (e.g., conferred vote-value) may be deducted from theorganizer vote-value established by the organizer token (314). Thetransaction may further transfer a rest token back to the organizer,which may allow the organizer to advance to a voter role or continue todistribute vote-value to voters with the remaining vote-value in therest token.

In an example, the transaction transferring the voter tokens (e.g., nvoter tokens) may have the structure:[Transact]=[[OT],[VT]₁, . . . ,[VT]_(n),[RT]]  (7)

where [OT] is the organizer token (e.g., the source token), [VT] are thevoter tokens, and [RT] is a rest token. Although not shown, thetransaction may further include a summation token and/or range-prooftokens to support verification.

Referring now to FIG. 5, example BAL 400 is shown. In variousimplementations, the BAL 400 may be used to audit transactions relatedto ballots on behalf of the auditor role. The BAL 400 may be implementedon circuitry, e.g., ballot auditing circuitry. The BAL 400, e.g.,through its operation, may increase the security and accuracy of aballoting system via technical solutions. The BAL 400 may verifytransactions for accuracy and integrity using analysis and, in somecases, recordation of cryptographic primitives and structures.

Referring now to the operation of the BAL 400, the BAL may access aballot recorded on one or more DLT records. For example, the BAL 400 mayaccess a ballot previously setup by the BOL 300 on behalf of anorganizer (402). The BAL 400 may access a voter transaction forverification. In various implementations throughout the disclosure, avoter transaction may include a DLT record of the transfer of vote valuefrom The voter transaction may include one or more committed tokensand/or other tokens, such as range-proof tokens, rest tokens and/orsummation tokens. The voter transaction may reference a voter tokenand/or a rest token that may serve as the source token for the votertransaction. The BAL 400 may access the voter token, e.g., from anorganizer transaction that originally conferred the voter token. Theverification may be applied to virtually any transaction recorded on theDLT. Accordingly, the BAL 400 may verify individual transactions and/orentire voting processes.

The BAL 400 may compare the intended recipient of the voter token to theidentifier of the voter that requested the voter transaction (404).Through the comparison, the BAL 400 may confirm that the source of thevote-value underlying the voter transaction was owned by the voter thatrequested the voter transaction. In some cases, this may frustrateattempts to secretly cast votes using vote-value owned by another voter(or other entity).

Additionally or alternatively, the BAL 400 may access the DLT record toverify that the voter token has not be previously used in another votertransaction (406). In other words, the BAL 400 may verify that the votertoken is not “double spent.”

The BAL 400 may access summation information for the committed tokenswithin the voter transaction (408). For example, the BAL 400 may accessa summation token (or other token usable as a summation token, such as,as a range-proof token based on the example range-proof discussedabove).

The BAL 400 may compare the summation information to the voter token (orother source token) (410). The BAL 400 may use the comparison todetermine whether the vote-value transferred (e.g., via committed tokensand/or rest tokens) in the voter transaction matches the votervote-value in the voter token. The BAL 400 may also verify othertransaction types (e.g., organizer transactions) using the abovediscussed logic.

Responsive to the determining whether a match is present, the BAL 400may generate a validity indication for the voter transaction (412). Invarious implementations throughout the disclosure, the validityindication may confirm valid voter transactions and/or mark invalidtransactions. In some cases, generating a validity indication, whichmay, for example, include a cryptographic primitive such as a digitalsignature signing a data indication that a particular vote (orindividual voter transaction within a vote) is valid, may be accompaniedby sending the validity indication to the voter that requested the votertransaction and/or the organizer. In some cases, the BAL 400 may sendthe validity indication to a selection of and/or all participants (e.g.,a broadcast or multicast) in the vote.

In various implementations, the validity indication may be recorded tothe DLT record as a validity token. The validity token may include areference to the voter transaction and the validity indication. In somecases, the validity token may be digitally signed by the BAL 400 onbehalf of the auditor. The more distinct auditors that agree on a signvoter tokens indicating validity/non-validity of a voter transaction—themore likely that the conclusion of the auditors is correct and reliable.

In some implementations, that voter may have an opportunity to correctan invalid transaction responsive to an indication of non-validity. Forexample, corrections may be allowed before the election is ended. TheACVL 200 may request a new transaction that references the oldtransaction. The new transaction may redistribute the voter token (orother source token) in a different manner to attempt to achievevalidity.

In various implementations, invalid transactions may be ignored. Forexample, participants may treat operate as if the transaction did notoccur. In some cases, transactions dependent on an invalid transactionmay also be ignored.

In some implementations, one or more invalid transactions may invalidatean entire election. For example, an organizer may invalidly distributean organizer token into voter tokens. The voter tokens distributed inthis manner may be invalid. Hence, the voters placed using these votertokens may be invalid. Therefore, an election as a whole may be invalidresponsive to an invalid organizer transaction.

In some cases, an election may be invalid based on a threshold number ofinvalid transactions. For example, if a majority (or other fraction) ofthe voter transactions are invalid, the entire election may beinvalidated. In some cases, the threshold number may be determined basedon the results. For example, if the vote-value purportedly transferredin the invalid transactions could have changed the election result, theelection may be invalidated.

Additionally or alternatively, the BAL 400 may verify transactions byperforming range-proofs (e.g., by accessing range-proof tokens) on theindividual tokens transferred by the transactions. The BAL 400 mayaccess a range-proof token (414). The BAL 400 may perform therange-proof (416). In various implementations, the validity token (e.g.,generated in 412 above) may include a validity indication based on therange-proof in addition to or in place of the verification based on thesummation information.

The ACVL 200, BOL 300, and/or the BAL 400 may be implemented oncircuitry present in various execution environments. FIGS. 5, 6, and 7show example execution environments for the ACVL 200, BOL 300, and/orthe BAL 400. In various implementations, underlying hardware forimplementing the execution of any of the ACVL 200, BOL 300, and/or theBAL 400 may be used to implement execution or one more of the others.

Referring now to FIG. 6, an example voting logic execution environment(VLEE) 500 is shown. The example VLEE 500 may serve as a hardwareplatform for the ACVL 200. The VLEE 500 may include system logic 514.The system logic may include processors 516, memory 520, and/or othercircuitry.

The memory 520 along with the processors 516 may support execution ofthe ACVL 200. The memory 520 may further include applications andstructures 566, for example, coded objects, templates, or otherstructures to support voter token reception, committed tokendistribution, and generation of tokens.

The VLEE 500 may also include communication interfaces 512, which maysupport wireless, e.g. Bluetooth, Wi-Fi, WLAN, cellular (4G, LTE/A),and/or wired, Ethernet, Gigabit Ethernet, optical networking protocols.The communication interfaces 512 may also include serial interfaces,such as universal serial bus (USB), serial ATA, IEEE 1394, lightingport, I²C, slimBus, or other serial interfaces. The VLEE 500 may includepower functions 534 and various input interfaces 528. The VLEE may alsoinclude a user interface 518 that may include human-to-machine interfacedevices and/or graphical user interfaces (GUI). In variousimplementations, the system logic 514 may be distributed over multiplephysical servers and/or be implemented as a virtual machine.

In some cases, the VLEE 500 may be a specifically defined computationalsystem deployed in a cloud platform. In some cases, the parametersdefining the VLEE 500 may be specified in a manifest for clouddeployment. The manifest may be used by an operator to requisition cloudbased hardware resources, and then deploy the logical components, forexample, ACVL 200, of the VLEE 500 onto the hardware resources. In somecases, a manifest may be stored as a preference file such as a YAML (yetanother mark-up language), JavaScript object notation (JSON), or otherpreference file type.

Referring now to FIG. 7, an example organization logic executionenvironment (OLEE) 600 is shown. The example OLEE 600 may serve as ahardware platform for the BOL 300. The OLEE 600 may include system logic614. The system logic may include processors 616, memory 620, and/orother circuitry.

The memory 620 along with the processors 616 may support execution ofthe BOL 300. The memory 620 may further include applications andstructures 666, for example, coded objects, templates, or otherstructures to support organizer token establishment, ballotgeneration/establishment, and generation of tokens.

The OLEE 600 may also include communication interfaces 612, which maysupport wireless, e.g. Bluetooth, Wi-Fi, WLAN, cellular (4G, LTE/A),and/or wired, Ethernet, Gigabit Ethernet, optical networking protocols.The communication interfaces 612 may also include serial interfaces,such as universal serial bus (USB), serial ATA, IEEE 1394, lightingport, I²C, slimBus, or other serial interfaces. The OLEE 600 may includepower functions 634 and various input interfaces 628. The OLEE may alsoinclude a user interface 618 that may include human-to-machine interfacedevices and/or graphical user interfaces (GUI). In variousimplementations, the system logic 614 may be distributed over multiplephysical servers and/or be implemented as a virtual machine.

In some cases, the OLEE 600 may be a specifically defined computationalsystem deployed in a cloud platform. In some cases, the parametersdefining the OLEE 600 may be specified in a manifest for clouddeployment. The manifest may be used by an operator to requisition cloudbased hardware resources, and then deploy the logical components, forexample, BOL 300, of the OLEE 600 onto the hardware resources. In somecases, a manifest may be stored as a preference file such as a YAML (yetanother mark-up language), JavaScript object notation (JSON), or otherpreference file type.

Referring now to FIG. 8, an example auditing logic execution environment(ALEE) 700 is shown. The example ALEE 700 may serve as a hardwareplatform for the BAL 400. The ALEE 700 may include system logic 714. Thesystem logic may include processors 716, memory 720, and/or othercircuitry.

The memory 720 along with the processors 716 may support execution ofthe BAL 400. The memory 720 may further include applications andstructures 766, for example, coded objects, templates, or otherstructures to support transaction verification, range-proof execution,and generation of validity tokens.

The ALEE 700 may also include communication interfaces 712, which maysupport wireless, e.g. Bluetooth, Wi-Fi, WLAN, cellular (4G, LTE/A),and/or wired, Ethernet, Gigabit Ethernet, optical networking protocols.The communication interfaces 712 may also include serial interfaces,such as universal serial bus (USB), serial ATA, IEEE 1394, lightingport, I²C, slimBus, or other serial interfaces. The ALEE 700 may includepower functions 734 and various input interfaces 728. The ALEE may alsoinclude a user interface 718 that may include human-to-machine interfacedevices and/or graphical user interfaces (GUI). In variousimplementations, the system logic 714 may be distributed over multiplephysical servers and/or be implemented as a virtual machine.

In some cases, the ALEE 700 may be a specifically defined computationalsystem deployed in a cloud platform. In some cases, the parametersdefining the ALEE 700 may be specified in a manifest for clouddeployment. The manifest may be used by an operator to requisition cloudbased hardware resources, and then deploy the logical components, forexample, BAL 400, of the ALEE 700 onto the hardware resources. In somecases, a manifest may be stored as a preference file such as a YAML (yetanother mark-up language), JavaScript object notation (JSON), or otherpreference file type.

As discussed above, the underlying hardware of the executionenvironments may concurrently implement multiple ones of the executionenvironments. In some cases, concurrent implementation may be used tosupport operation of a particular node in accord with multiple roles.Further, any of the VLEE 500, OLEE 600, and ALEE 700 may be used toimplement the decryption and analysis operations of the answer roles.

Moving now to a discussion of voter anonymity, in variousimplementations, committed tokens may preserve voter pseudonymity. Forexample, an answer may be able to determine which voter identitiesprovided committed tokens to that answer. In other words, a voter may beanonymous to general auditors (e.g., general auditors may notnecessarily know which answers a particular voter identity sent non-zerovote-value to), but pseudonymous to the answer roles (e.g., the answermay have knowledge of particular vote-value amounts transferred fromparticular voter identifiers). However, through history analysis, databreach, or the security lapses, a pseudonymous voter identity may beconnected to a personal identity of a voter.

In some implementations, vote-value compiling (e.g., mixing and/or otherintermediary role obfuscation) may be used to provide additionalprotection for voter anonymity against answer roles. FIG. 9 shows anexample intermediary balloting environment 800. In the intermediaryexample balloting environment 800, voters 110 send committed tokens toan intermediary 810, e.g., via an intermediary identifier 812. Theintermediary 810 may mix or otherwise obfuscate individual vote-valuetransfers and provide a compiled token with a compiled vote-valuetransfer to the answers with individual pseudonymous voter identitiesstripped.

Use of intermediaries may shift anonymity preservation issues from theanswer to the intermediary. In some cases, a voter may have control ofthe intermediary selection. For example, an organizer may selectanswers, but a voter may freely designate an intermediary (or select anintermediate from a listing of allowed intermediaries). Accordingly. thevoter may have more trust in the intermediary than the answer becausethe voter may control the selection of intermediaries while theorganizer designates the answers.

Referring now to FIG. 10, example intermediary vote-value compilinglogic (IVCL) 900 is shown. The IVCL 900 may access committed tokenstransferred to the IVCL's custody (902). The IVCL 900 may determinewhich of answers the individual committed tokens are targeted to (904).The IVCL 900 may compile the vote-value in committed tokens targeted toa particular answer into to a compiled token. The IVCL 900 may request acompiling transaction, the compiling transaction joining multiple tokenstargeted to a particular answer into a single compiled token (906). TheIVCL 900 may address the compiled token to the answer identifier (908).

In an example scenario, the IVCL 900 requests a compiling transactionthat includes a compiled token addressed to a particular answer. Thevote-value in the compiled token may be justified using committedtokens. The IVCL 900 may identify the committed tokens addressed to eachanswer. The compiling transaction may provide summation informationand/or range proofs for the committed tokens. The summation informationmay be used by auditors to confirm that the vote-value in the committedtokens is the same as the vote-value in the compiled token. The voters,e.g., through the ACVL 200 may certify the compiled transaction byrecording signed tokens to DLT record. The signed tokens may confirmthat the IVCL 900 correctly identified the addressees of the voters'committed tokens. Confidence in the electronics results may increasewith increasing numbers of signed tokens from distinct voters. Theintermediary balloting environment may protect voter anonymity withrespect to the answers by shifting the pseudonymity to the intermediary.The voters may send committed tokens to multiple answers. Accordingly,identifying a particular token from a voter as being addressed to aparticular answer does not necessarily divulge the vote-value committedwithin the token or that any vote-value was actually committed by theanswer.

In various implementations, peer-to-peer mixing may be used.Implementations, such as ValueShuffle, DiceMix, CoinShuffle++ describedin Ruffing and Moreno-Sanchez, Mixing Confidential Transactions:Comprehensive Transaction Privacy for Bitcoin, 2017,http://eprint.iacr.org/2017/238.pdf may be used. Therein, ValueShuffleand CoinShuffle++ are described as allowing transaction privacy thoughmixing in homomorphic commitments. The schemes take advantage of theadditive properties of the homomorphic commitments. For example, theschemes provide sums and differences of values used in a transactionwithout disclosing the sums themselves. In this case, when generatingtokens, the ACVL 200 (or other token transferring logic) may providesums and/or differences of transaction vote-values and blinding valuesin place of the actual values that are encrypted using the public key ofthe recipient of the committed token. These sums/differences allow theanswer to determine that sum of the vote-value received from multipletokens, but not necessarily the ability to determine individualvote-values from individual tokens. The schemes may be adapted butsubstituting Bitcoin values transferred in the transactions withvote-value transfers. Accordingly, using the above-describedpeer-to-peer mixing schemes anonymity may be preserved against rolesother than the voter casting the vote. In peer-to-peer mixing theintermediary may not necessarily be includes to protect anonymity.Hence, non-intermediary balloting environments may be used (e.g.,example balloting environment 100).

The methods, devices, architectures, processing, circuitry, and logicdescribed above may be implemented in many different ways and in manydifferent combinations of hardware and software. For example, all orparts of the implementations may be circuitry that includes aninstruction processor, such as a Central Processing Unit (CPU),microcontroller, or a microprocessor; or as an Application SpecificIntegrated Circuit (ASIC), Programmable Logic Device (PLD), or FieldProgrammable Gate Array (FPGA); or as circuitry that includes discretelogic or other circuit components, including analog circuit components,digital circuit components or both; or any combination thereof. Thecircuitry may include discrete interconnected hardware components or maybe combined on a single integrated circuit die, distributed amongmultiple integrated circuit dies, or implemented in a Multiple ChipModule (MCM) of multiple integrated circuit dies in a common package, asexamples.

Accordingly, the circuitry may store or access instructions forexecution, or may implement its functionality in hardware alone. Theinstructions may be stored in a tangible storage medium that is otherthan a transitory signal, such as a flash memory, a Random Access Memory(RAM), a Read Only Memory (ROM), an Erasable Programmable Read OnlyMemory (EPROM); or on a magnetic or optical disc, such as a Compact DiscRead Only Memory (CDROM), Hard Disk Drive (HDD), or other magnetic oroptical disk; or in or on another machine-readable medium. A product,such as a computer program product, may include a storage medium andinstructions stored in or on the medium, and the instructions whenexecuted by the circuitry in a device may cause the device to implementany of the processing described above or illustrated in the drawings.

The implementations may be distributed. For instance, the circuitry mayinclude multiple distinct system components, such as multiple processorsand memories, and may span multiple distributed processing systems.Parameters, databases, and other data structures may be separatelystored and managed, may be incorporated into a single memory ordatabase, may be logically and physically organized in many differentways, and may be implemented in many different ways. Exampleimplementations include linked lists, program variables, hash tables,arrays, records (e.g., database records), objects, and implicit storagemechanisms. Instructions may form parts (e.g., subroutines or other codesections) of a single program, may form multiple separate programs, maybe distributed across multiple memories and processors, and may beimplemented in many different ways. Example implementations includestand-alone programs, and as part of a library, such as a shared librarylike a Dynamic Link Library (DLL). The library, for example, may containshared data and one or more shared programs that include instructionsthat perform any of the processing described above or illustrated in thedrawings, when executed by the circuitry.

A1 In an example, a cryptographic voting method includes: obtaining aballot established on a distributed ledger, the ballot designatinganswers with corresponding answer identifiers; receiving, a voter token,the voter token conferring a voter vote-value to a voter, the votertoken received responsive to a transaction on the distributed ledgeraddressed to a voter identifier of the voter; determining a targetcommitted vote-value to assign to a target answer of the answers, thetarget committed vote-value including at least a portion of the votervote-value; generating a target committed token, the target committedtoken configured to bind the voter to the target committed vote-valuewithout revealing the target committed vote-value while in acryptographic form; determining a completion committed vote-value toassign to a second answer of the answers, the completion committedvote-value including a null or another portion of the voter vote-value;generating a completion committed token configured to bind the voter tothe completion committed vote-value without revealing the completioncommitted vote-value while in the cryptographic form; and requesting asecond transaction on the distributed ledger transferring the completioncommitted token to the corresponding answer identifier of the secondanswer.

A2 The cryptographic voting method of example A1, where the first andsecond transactions includes the same transaction.

A3 The cryptographic voting method of either of examples A1 or A2,where: the completion committed vote-value includes a null; andrequesting the second transaction includes obfuscating a transfer of atleast the portion of the vote-value transferred to the target answer.

A4 The cryptographic voting method of any of examples A1-A3, where: thevoter identifier is associated a public key of the voter; and digitallysigning the target committed token using a private key paired with thepublic key.

A5 The cryptographic voting method of any of examples A1-A4, furtherincluding deducting the target committed vote-value and the completionvote-value from the voter vote-value.

A6 The cryptographic voting method of example A5, where deducting thecompletion vote-value includes producing a resultant null votervote-value.

A7 The cryptographic voting method of any of examples A1-A6, furtherincluding sending a rest token back to the voter, the rest tokenincluding a remainder vote-value after the second transaction.

A8 The cryptographic voting method of any of examples A1-A7, wheregenerating the target committed token includes: applying the targetcommitted vote value to an amount point on an elliptic curve to generatean amount term; applying a random blinding value to a blinding point onthe elliptic curve to generate a blinding term; and combining the amountterm and the blinding term.

A9 The cryptographic voting method of example A8, further includingselecting the blinding point by applying a hash function to the amountpoint.

A10 The cryptographic voting method of any of examples A1-A9, furtherincluding generating a range-proof token, the range-proof tokenconfigured to, when compared to the target committed token, establishthat the target committed vote-value is within an allowed range for theballot.

B1 In an example, a cryptographic voting method includes: accessing, aballot established on a blockchain, the ballot designating multipleanswers with corresponding answer identifiers; determining a vote-valuedistribution to assign to the multiple answers, the vote-valuedistribution distributing a voter vote-value received within a votertoken; generating a committed token for each of the multiple answers,the committed tokens configured to bind a voter the vote-valuedistribution without revealing individual committed vote-values withinindividual committed tokens of the committed tokens while the committedtokens are in a cryptographic form; and at least one of the committedtokens including a null vote-value; and requesting a transaction on theblockchain transferring the committed tokens to the multiple answers,where transferring at least one of the committed tokens including thenull vote-value obfuscates the vote-value distribution.

B2 The cryptographic voting method of example B1, where generating thecommitted token for each of the multiple answers includes: applying theindividual committed vote-values to an amount point on an elliptic curveto generate individual amount terms; applying random blinding values toa blinding point on the elliptic curve to generate individual blindingterms; and combining the individual amount terms and the individualblinding terms.

B3 The cryptographic voting method of example B2, further includingselecting the blinding point by applying a hash function to the amountpoint.

B4 The cryptographic voting method of any of examples B1-B3, furtherincluding: generating a rest token configured to transfer a remaindervote-value; and requesting the transaction on the blockchain furtherincludes requesting a transfer of the rest token back to the voter.

C1 In an example, a cryptographic voting system includes: networkinterface circuitry configured to: obtain a ballot established on adistributed ledger, the ballot designating answers with correspondinganswer identifiers; and receive, a voter token, the voter tokenconferring a voter vote-value to a voter, the voter token receivedresponsive to a transaction on the distributed ledger addressed to avoter identifier of the voter; cryptologic voting circuitry incommunication with the network interface circuitry, the cryptologicvoting circuitry configured to: determine a target committed vote-valueto assign to a target answer of the answers, the target committedvote-value including at least a portion of the voter vote-value;generate a target committed token, the target committed token configuredto bind the voter to the target committed vote-value without revealingthe target committed vote-value while in a cryptographic form; using acryptographic key associated with the voter identifier, request a firsttransaction on the distributed ledger transferring the target committedtoken to the corresponding answer identifier of the target answer;determine a completion committed vote-value to assign to a second answerof the answers, the completion committed vote-value including a null oranother portion of the voter vote-value; generate a completion committedtoken configured to bind the voter to the completion committedvote-value without revealing the completion committed vote-value whilein the cryptographic form; and using the cryptographic key associatedwith the voter identifier, request a second transaction on thedistributed ledger transferring the completion committed token to thecorresponding answer identifier of the second answer.

C2 The cryptographic voting system of example C1, where the first andsecond transactions includes the same transaction.

C3 The cryptographic voting system of either of examples C1 or C2,where: the completion committed vote-value includes a null; and thecryptologic voting circuitry is configured to request the secondtransaction by obfuscating a transfer of at least the portion of thevote-value transferred to the target answer.

C4 The cryptographic voting system of any of examples C1-C3, where: thevoter identifier includes a public key of the voter; and the cryptologicvoting circuitry is configured to use the cryptographic key by digitallysigning the target committed token using a private key paired with thepublic key.

C5 The cryptographic voting system of any of examples C1-C4, thecryptologic voting circuitry is further configured to deduct the targetcommitted vote-value and the completion vote-value from the votervote-value.

C6 The cryptographic voting system of example C5, where the cryptologicvoting circuitry is configured to deduct the completion vote-value byproducing a resultant null voter vote-value.

D1 In an example, a cryptographic voting method includes: accessing aballot that designates answers; determining a vote-value distribution;causing generation of a compiled token by mixing a vote-value withvote-value from another voter; and causing a request for a transactionconveying the compiled token to a first one of the answers.

D2 The cryptographic voting method of example D1, where mixing avote-value includes executing a peer-to-peer mixing scheme.

D3 The cryptographic voting method of example D2, where executing apeer-to-peer mixing scheme includes executing the peer-to-peer mixingscheme without an intermediary.

D4 The cryptographic voting method of example D1 where mixing avote-value includes requesting a transaction to convey the vote-value toan intermediary.

D4 The cryptographic voting method of example D1, further includingimplementing any of the features of any of examples A1-A10 and B1-B4.

E1 In an example, a cryptographic voting organization method includes:generating a ballot with an answer, the answer including an answeridentifier configured to: direct reception of a committed tokenincluding a committed vote-value transferred from a voter, the committedtoken configured to bind a the voter to the committed vote-value withoutrevealing the committed vote-value while in an cryptographic form, thecommitted vote-value including a null or at least a portion of a votervote-value; generating an organizer token including an organizervote-value; establishing, on a distributed ledger, the ballot and theorganizer token; determining a vote-value distribution; requesting atransaction transferring a voter token to an voter identifier of thevoter, the voter token conferring the voter vote-value to the voter; andaccounting for the transaction by deducting the voter vote-value fromthe organizer vote-value.

E2 The cryptographic voting organization method of example E1, whererequesting the transaction further includes requesting that thetransaction send a rest token back to the organizer, the rest tokenincluding a remainder vote-value corresponding to the organizervote-value with at least the voter vote-value deducted.

E3 The cryptographic voting method of either of examples E1 or E2, wheregenerating the ballot includes generating a ballot allowing non-integervote-value transfers.

E4 The cryptographic voting organization method of any of examplesE1-E3, where generating the ballot includes designating an allowed rangefor vote-value transfers for the ballot.

E5 The cryptographic voting organization method of any of examplesE1-E4, where generating the ballot includes designating a public key toserve as the answer identifier.

E6 The cryptographic voting organization method of any of examplesE1-E5, where generating the ballot includes designating a public key toserve as the voter identifier.

E7 The cryptographic voting organization method of example E6, astructure for the transaction includes: the voter token; an amount fielddesignating the voter vote-value, the amount field encrypted with thepublic key; and a blinding field designating a blinding factor used toobfuscate the amount field, the blinding field encrypted with the publickey.

E8 The cryptographic voting organization method of any of examplesE1-E7, where: the distributed ledger includes a blockchain; andestablishing the ballot and the organizer token includes: causing theballot to be recorded on the blockchain; and designating a public key toserve as an organizer identifier.

E9 The cryptographic voting organization method of any of examplesE1-E8, generating a ballot further includes designating multiple pointson an elliptic curve for generation of token for transferringvote-value, the multiple points including: an amount point; and ablinding point.

E10 The cryptographic voting organization method of example E9, where:designating an amount point includes designating a cryptographic key toapply to a curve generation function for the elliptic curve; anddesignating a blinding point includes designating a hash function toapply to the amount point to generate the blinding point.

F1 In an example, a cryptographic voting organization system includes:memory configured to store a distributed ledger; and ballot organizationcircuitry in data communication with the memory, the ballot organizationcircuitry configured to: generate a ballot with an answer, the answerincluding an answer identifier configured to: direct reception of acommitted token including a committed vote-value transferred from avoter, the committed token configured to bind a the voter to thecommitted vote-value without revealing the committed vote-value while inan cryptographic form, the committed vote-value including a null or atleast a portion of a voter vote-value; generate an organizer tokenincluding an organizer vote-value; establish, on the distributed ledger,the ballot and the organizer token; determine a vote-value distribution;request a transaction transferring a voter token to an voter identifierof the voter, the voter token conferring the voter vote-value to thevoter; and account for the transaction by deducting the voter vote-valuefrom the organizer vote-value.

F2 The cryptographic voting organization system of example F1, where theballot organization circuitry is further configured to request thetransaction further by requesting that the transaction send a rest tokenback to the organizer, the rest token including a remainder vote-valuecorresponding to the organizer vote-value with at least the votervote-value deducted.

F3 The cryptographic voting organization system of either of examples F1or F2, where the ballot organization circuitry is further configured togenerate the ballot by generating a ballot allowing non-integervote-value transfers.

F4 The cryptographic voting organization system of any of examplesF1-F3, where the ballot organization circuitry is further configured togenerate the ballot by designating an allowed range for vote-valuetransfers for the ballot.

F5 The cryptographic voting organization system of any of examplesF1-F4, where the ballot organization circuitry is further configured togenerate the ballot by designating a public key to serve as the answeridentifier.

F6 The cryptographic voting organization system of any of examplesF1-F5, where generating the ballot includes designating a public key toserve as the voter identifier.

F7 The cryptographic voting organization system of example F6, where theballot organization circuitry is further configured to generate theballot by designating a structure for the transaction, the structureincluding: the voter token; an amount field designating the votervote-value, the amount field encrypted with the public key; and ablinding field designating a blinding factor used to obfuscate theamount field, the blinding field encrypted with the public key.

G1 In an example, a product includes machine-readable media other than atransitory signal; and instructions stored on the machine-readablemedia, the instructions configured to, when executed, cause a machineto: generate a ballot with an answer, the answer including an answeridentifier configured to: direct reception of a committed tokenincluding a committed vote-value transferred from a voter, the committedtoken configured to bind a the voter to the committed vote-value withoutrevealing the committed vote-value while in an cryptographic form, thecommitted vote-value including a null or at least a portion of a votervote-value; generate an organizer token including an organizervote-value; establish, on a distributed ledger, the ballot and theorganizer token; determine a vote-value distribution; request atransaction transferring a voter token to an voter identifier of thevoter, the voter token conferring the voter vote-value to the voter; andaccount for the transaction by deducting the voter vote-value from theorganizer vote-value.

G2 The product of example G1, the instructions are further configured tocause the machine to generate a ballot further by designating multiplepoints on an elliptic curve for generation of token for transferringvote-value, the multiple points including: an amount point; and ablinding point.

G3 The product of example G2, the instructions are further configured tocause the machine to: designate an amount point by designating acryptographic key to apply to a curve generation function for theelliptic curve; and designate a blinding point by designating a hashfunction to apply to the amount point to generate the blinding point.

H1 In an example, a cryptographic vote auditing method includes:increasing the security and accuracy of a distributed-ledger-basedcryptographic ballot system by: accessing a ballot recorded on adistributed ledger, the ballot establishing an answer with acorresponding answer identifier; accessing a voter transaction recordedon the distributed ledger; accessing a first voter token referencedwithin the voter transaction, the first voter token transferring a votervote-value for committed vote-value within committed tokens assigned bythe transaction, the committed tokens configured to bind the voters tothe committed vote-values without revealing the individual committedvote-values while in the cryptographic form, each of the committedvote-values including a null or at least a portion of a votervote-value; verifying the validity of the committed tokens by: withoutdependence on knowledge of individual committed vote-values, determininga verification sum by analyzing voter summation information for each ofthe committed tokens; and comparing the verification sum to the firstvoter token; and responsive to verifying the validity of the votertransaction, generating a validity indication.

H2 The cryptographic voting auditing method of example H1, furtherincluding recording the validity indication to the distributed ledger asa validity token.

H3 The cryptographic voting auditing method of either of examples H1 orH2, where comparing the verification sum to the first voter tokenincludes determining a mismatch between the verification sum and thefirst voter token, while the first voter token is in the cryptographicform.

H4 The cryptographic voting auditing method of example H3, where thesummation information includes information extracted from a range-prooftoken provided within the voter transaction.

H5 The cryptographic voting auditing method of either of examples H3 orH4, further including recording the validity indication to thedistributed ledger to invalidate the voter transaction.

H6 The cryptographic voting auditing method of any of examples H3-H5,further including recording the validity indication to the distributedledger to request a change to the voter transaction to match theverification sum.

H7 The cryptographic voting auditing method of any of examples H1-H6,further including: accessing an organizer token established on thedistributed ledger, the organizer token establishing an organizervote-value; and accessing an organizer transaction recorded on thedistributed ledger, the organizer transaction: referencing an organizertoken designating an organizer vote value; conferring voter tokens, thevoter tokens including the first voter token, to voters via voteridentifiers for the voters using the organizer token as a source token;and providing organizer summation information for each of the votertokens.

H8 The cryptographic voting auditing method of example H7, whereverifying the validity of the voter transaction further includescomparing the organizer token to the organizer summation information.

H9 The cryptographic voting auditing method of any of examples H1-H8,where: the method further includes accessing a range-proof token withinthe voter transaction; and verifying the validity of the votertransaction further includes comparing the range-proof token to a firstcommitted token of the committed tokens to determine whether a firstcommitted vote-value transferred via the first committed token is withinan allowed range for the ballot.

H10 The cryptographic voting auditing method of example H9, furtherincluding determining that the first committed vote-value is within theallowed range for the ballot by determining that the vote-value isnon-negative.

H11 The cryptographic voting auditing method of any of examples H1-H10,where analyzing summation information includes summing over keys storedwithin a range-proof token within the voter transaction.

H12 The cryptographic voting auditing method of any of examples H1-H10,where verifying the validity of the committed tokens includes comparingthe recipient identifier of the first voter token to a voter identifierfor a voter that requested the voter transaction.

I1 In an example, a cryptographic vote auditing system includes: networkinterface circuitry configured to: access a ballot recorded on adistributed ledger, the ballot establishing an answer with acorresponding answer identifier; access a voter transaction recorded onthe distributed ledger; and access a first voter token referenced withinthe voter transaction, the first voter token transferring a votervote-value for committed vote-value within committed tokens assigned bythe transaction, the committed tokens configured to bind the voters tothe committed vote-values without revealing the individual committedvote-values while in the cryptographic form, each of the committedvote-values including a null or at least a portion of a votervote-value; and ballot auditing circuitry in data communication with thenetwork interface circuitry, the ballot auditing circuitry configuredto: verify the validity of the committed tokens by: comparing therecipient identifier of the first voter token to a voter identifier fora voter that requested the voter transaction; without dependence onknowledge of individual committed vote-values, determining averification sum by analyzing voter summation information for each ofthe committed tokens; and comparing the verification sum to the firstvoter token; and responsive to verifying the validity of the votertransaction, generate a validity indication.

I2 The cryptographic voting auditing system of example I1, where theballot auditing circuitry is further configured to record the validityindication to the distributed ledger as a validity token.

I3 The cryptographic voting auditing system of either of examples I1 orI2, where the ballot auditing circuitry is further configured to comparethe verification sum to the first voter token by determining a mismatchbetween the verification sum and the first voter token, while the firstvoter token is in the cryptographic form.

I4 The cryptographic voting auditing system of example I3, where thesummation information includes information extracted from a range-prooftoken provided within the voter transaction.

I5 The cryptographic voting organization system of either of examples I4or I3, where the ballot auditing circuitry is further configured torecord the validity indication to the distributed ledger to invalidatethe voter transaction.

I6 The cryptographic voting auditing system of any of examples I1-I5,where the ballot auditing circuitry is further configured to record thevalidity indication to the distributed ledger to request a change to thevoter transaction to match the verification sum.

I7 The cryptographic voting auditing system of any of examples I1-I6,where the ballot auditing circuitry is further configured to: access anorganizer token established on the distributed ledger, the organizertoken establishing an organizer vote-value; and access an organizertransaction recorded on the distributed ledger, the organizertransaction: referencing an organizer token designating an organizervote value; conferring voter tokens, the voter tokens including thefirst voter token, to voters via voter identifiers for the voters usingthe organizer token as a source token; and providing organizer summationinformation for each of the voter tokens.

J1 In an example, a product includes: machine-readable media other thana transitory signal; and instructions stored on the machine-readablemedia, the instructions configured to, when executed cause a machine to:access a ballot recorded on a distributed ledger, the ballotestablishing an answer with a corresponding answer identifier; access avoter transaction recorded on the distributed ledger; access a firstvoter token referenced within the voter transaction, the first votertoken transferring a voter vote-value for committed vote-value withincommitted tokens assigned by the transaction, the committed tokensconfigured to bind the voters to the committed vote-values withoutrevealing the individual committed vote-values while in thecryptographic form, each of the committed vote-values including a nullor at least a portion of a voter vote-value; verify the validity of thecommitted tokens by: comparing the recipient identifier of the firstvoter token to a voter identifier for a voter that requested the votertransaction; without dependence on knowledge of individual committedvote-values, determining a verification sum by analyzing voter summationinformation for each of the committed tokens; and comparing theverification sum to the first voter token; and responsive to verifyingthe validity of the voter transaction, generate a validity indication.

J2 The product of example J1, where the instructions are furtherconfigured to analyze summation information by summing over keys storedwithin a range-proof token within the voter transaction.

K1 In an example, a system includes circuitry configured to implementthe cryptographic voting method of any of examples A1-A10, B1-B4, D1-D4,E1-E11, and H1-H12.

L1 In an example, a product includes instructions stored on a machinereadable medium, the instructions configured to cause a machine toimplement the cryptographic voting method of any of examples A1-A10,B1-B4, D1-D4, E1-E11, and H1-H12.

M1 In an example, a method includes implementing any of or anycombination of the features described in the preceding disclosure.

N1 In an example, a system is configured to implement any of or anycombination of the features described in the preceding disclosure.

Various implementations have been specifically described. However, manyother implementations are also possible. Various implementations havebeen specifically described. However, many other implementations arealso possible. For instance, any of the components and functionality inthe architecture may be hosted in virtual machines managed by a cloudservices provider. That is, while some implementations may be completelylocalized within a given enterprise, other implementations arecompletely migrated into the cloud, or are hybrid implementations withmixed local and cloud implementation. Regarding querying devices, thesmartphones applications and desktop computers noted above are justparticular examples, and other querying devices may be used, includinghands-free systems in vehicles, digital personal assistants insmartphones or desktop PCs, hands-free control systems for the home, andmany other types of devices.

What is claimed is:
 1. A method including: receiving authority todistribute, on behalf of a voter, vote-value among multiple answersdesignated on a ballot; determining to distribute an entirety of thevote-value among a subset of the multiple answers; committing theentirety of the vote-value to the subset by causing generation of atarget committed token that bindingly assigns vote-value to at least oneanswer of the subset, the target committed token having a targetencrypted form that conceals an amount of vote-value assigned;obfuscating the commitment of the vote-value to the subset by causinggeneration of a completion committed token that assigns a null value toat least one answer of the multiple answers that is not within thesubset, the completion committed token having a completion encryptedform that conceals the null value assignment; and causing recordation ofthe committed tokens in one or more transactions on a distributedledger.
 2. The method of claim 1, where the target committed tokenincludes a target key associated with the target encrypted form.
 3. Themethod of claim 2, where the target key is encrypted with a public keyassociated with the at least one answer of the subset.
 4. The method ofclaim 1, where the ballot constrains vote-value assignments to integervalues.
 5. The method of claim 1, where the ballot constrains vote-valueassignments to a selection between binary values.
 6. The method of claim1, where committing the entirety of the vote-value to the subset andobfuscating the commitment of the vote-value to the subset togetherinclude assigning some vote-value or a null value to every answer of themultiple answers.
 7. The method of claim 1, further including:generating a summation token with summation information for thecommitted token, the completion token, or both.
 8. The method of claim7, where the summation information indicates that the vote-valuetransferred in the committed token and the completion token does notexceed the entirety of the vote-value.
 9. The method of claim 1, wherean organizer token conveyed the authority to distribute the vote-valueto the voter.
 10. The method of claim 9, where the organizer tokenincludes a commitment of the vote-value to the voter, the commitmentsecured by encrypting a key using a public key associated with thevoter.
 11. A system including: communication circuitry configured to:receive authority to distribute, on behalf of a voter, vote-value amongmultiple answers designated on a ballot; processing circuitry configuredto: determine to distribute an entirety of the vote-value among a subsetof the multiple answers; commit the entirety of the vote-value to thesubset by causing generation of a target committed token that bindinglyassigns vote-value to at least one answer of the subset, the targetcommitted token having a target encrypted form that conceals an amountof vote-value assigned; obfuscate commitment of the vote-value to thesubset by causing generation of a completion committed token thatassigns a null value to at least one answer of the multiple answers thatis not within the subset, the completion committed token having acompletion encrypted form that conceals the null value assignment; andcause recordation of the committed tokens in one or more transactions ona distributed ledger.
 12. The system of claim 11, where the targetcommitted token includes a target key associated with the targetencrypted form.
 13. The system of claim 12, where the target key isencrypted with a public key associated with the at least one answer ofthe subset.
 14. The system of claim 11, where the ballot constrainsvote-value assignments to integer values.
 15. The system of claim 11,where the ballot constrains vote-value assignments to a selectionbetween binary values.
 16. The system of claim 11, where the processingcircuitry is configured to commit the entirety of the vote-value to thesubset and obfuscate commitment of the vote-value to the subset byassigning some vote-value or a null value to every answer of themultiple answers.
 17. A product including: non-transitorymachine-readable media; and instructions stored on the non-transitorymachine-readable media, the instructions configured to, when executed,cause a machine to: receive authority to distribute, on behalf of avoter, vote-value among multiple answers designated on a ballot;determine to distribute an entirety of the vote-value among a subset ofthe multiple answers; commit the entirety of the vote-value to thesubset by causing generation of a target committed token that bindinglyassigns vote-value to at least one answer of the subset, the targetcommitted token having a target encrypted form that conceals an amountof vote-value assigned; obfuscate commitment of the vote-value to thesubset by causing generation of a completion committed token thatassigns a null value to at least one answer of the multiple answers thatis not within the subset, the completion committed token having acompletion encrypted form that conceals the null value assignment; andcause recordation of the committed tokens in one or more transactions ona distributed ledger.
 18. The product of claim 17, where: theinstructions are further configured to cause a machine to generate asummation token with summation information for the committed token, thecompletion token, or both; and the summation information indicates thatthe vote-value transferred in the committed token and the completiontoken does not exceed the entirety of the vote-value.
 19. The product ofclaim 17, where an organizer token conveyed the authority to distributethe vote-value to the voter.
 20. The product of claim 19, where theorganizer token includes a commitment of the vote-value to the voter,the commitment secured by encrypting a decryption key using a public keyassociated with the voter.